On November 26, 2012, the Office for Civil Rights (OCR) within the Department of Health and Human Services released new Guidance on De-identification of Protected Health Information. The new Guidance provides covered entities—defined as certain health care providers, health care clearinghouses, or health plans—with specific tools and techniques for de-identifying health information using the two methods set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The new Guidance addresses key questions and provides examples that help clarify the Privacy Rule’s two de-identification standards. The Guidance included input from an OCR workshop convened in March 2010 to tackle specific topics related to the two methods of de-identification of data addressed in HIPAA’s Privacy Rule.
In its report Privacy and Progress in Whole Genome Sequencing, the Presidential Commission for the Study of Bioethical Issues focused on the privacy issues associated with whole genome sequencing. These privacy issues are particularly relevant given more widespread sharing of whole genome sequencing data, both in the clinic and in research.
Several federal laws—including HIPAA—protect identifiable health information that can be linked to an individual person. HIPAA requires that consent be obtained before protected health information—medical information that identifies a particular person—can be shared in certain circumstances. Once health information is de-identified, the information is no longer subject to the Privacy Rule’s restrictions and can be shared without consent. The question remains, however, whether whole genome sequence data can actually be de-identified or should be considered de-identified for purposes of HIPAA’s protections.
The new Guidance provides explanations and clarification about the two ways in which protected health information can be de-identified, as initially set forth in the HIPAA Privacy Rule: the Expert Determination method and the Safe Harbor method. The Expert Determination method requires an expert to apply statistical methods and principles to de-identify the data and determine that the risk that the data could be linked to an individual is “very small.” The Safe Harbor method requires that covered entities remove all identifiers (such as name, date of birth, Social Security Number) that might link an individual to their information. Under the Safe Harbor method, covered entities must also have no actual knowledge that the health information, alone or in combination with other information (e.g., public voter registration records), can link a particular individual to the disclosed health information. In some cases, these methods minimize the risks to individual privacy and allow scientists to have access to large databases for their research.
While this Guidance clarifies some of the questions surrounding the de-identification methods, it remains silent on the de-identification of whole genome sequencing data. Even though the issues surrounding the de-identification of whole genome sequencing data have become more acute over the past two and a half years that OCR has considered this Guidance, it nevertheless remains critical that regulations and guidance respond to the rapid advancement of science, such as whole genome sequencing.